SUBSCRIBE:

Why doesn't Skype include stronger protections against eavesdropping?

Share

Skype has long claimed to be "end-to-end encrypted", an architectural category that suggests conversations over the service would be difficult or impossible to eavesdrop upon, even given control of users' Internet connections. But Skype's 2005 independent security review admits a caveat to this protection: "defeat of the security mechanisms at the Skype Central Server" could facilitate a "man-in-the-middle attack" (see section 3.4.1). Essentially, the Skype service plays the role of a certificate authority for its users and, like other certificate authorities, could facilitate eavesdropping by giving out the wrong keys.

This security limitation has concerned us for a long time. In 2012, Chris Soghoian argued that, for this reason, "Skype is in a position to give the government sufficient data to perform a man in the middle attack against Skype users." Soghoian argued that Skype should change its design to eliminate this ability, or else disclose the risk more prominently. One way of limiting man-in-the-middle attacks would be for Skype to introduce a way for users to do their own encryption key verification, without relying on the Skype service. As Soghoian notes, that's what many other encrypted communications tools do - but such a verification option is missing from Skype. (Users may independently verify the authenticity of the keys presented by people they're talking to in encryption systems such as PGP, OTR, HTTPS, and ZRTP.) Back in 2011, we publicly asked Skype to introduce this feature, at least as an optional way for users to check they weren't being spied on. To date, no key verification feature has been introduced.

Prior to its acquisition by Microsoft, Skype maintained some ambiguity about its interception capabilities, but occasionally indicated that the existing encryption prevented any and all wiretapping; in 2008, for example, Skype said it "would not be able to comply with" a request to wiretap a Skype user, partly due to encryption. (However, there was convincing evidence earlier in 2013 that the company now has access to the decrypted text of users' instant messages, even though the 2005 audit report named "text" as a category of information that should be protected by Skype encryption.)

A Guardianreport now seems to show the situation has changed drastically from the company's former claims on this point, stating that Microsoft has turned over Skype conversation contents to the U.S. government since at least February 6, 2011.

Microsoft's response to the Guardian contains a particularly interesting tidbit:

Finally when we upgrade or update products legal obligations may in some circumstances require that we maintain the ability to provide information in response to a law enforcement or national security request. There are aspects of this debate that we wish we were able to discuss more freely. That's why we've argued for additional transparency that would help everyone understand and debate these important issues.

What could Microsoft mean by this? Why would Microsoft be legally required to "maintain the ability" to spy on users, for reasons it doesn't feel at liberty to tell us about?

It's not clear whether this statement refers directly to Skype, but it raises interesting questions, some of which Julian Sanchez ponders at Ars Technica. There's no known basis in U.S. law for forbidding Internet technology developers to create communications systems without the ability to spy on users, so it's fascinating to see Microsoft's suggestion of "legal obligations [that] require that we maintain the ability to provide information". In other contexts, the law specifically does not require technology developers to have an ability to do so. Even the Communications Assistance for Law Enforcement Act (CALEA), which requires some companies to develop wiretap capabilities, says

A telecommunications carrier shall not be responsible for decrypting, or ensuring the government's ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication.

47 USC §1002(b)(3).

(There are other reasons that CALEA itself probably wouldn't be relevant here; for example, at least for purposes of Skype-to-Skype calls, Microsoft has a strong argument for its public position that "[CALEA] does not apply to any of Microsoft's services, including Skype, as Microsoft is not a telecommunications carrier". Of course, it's sometimes possible that CALEA gets applied to communications systems in ways that we can't see on the surface; after all, we don't get to see CALEA compliance orders or agreements.)

Suppose that Microsoft's statement does refer to the ability to surreptitiously intercept Skype calls. If Microsoft (or Skype) didn't originally have any obligation to be able to spy on users in the first place, how could it have found itself "require[d to] maintain the ability" to do so?

A secret order from the FISA Court, which might be among the "aspects of this debate" that Microsoft finds its unable to discuss, could provide a new reason why Microsoft doesn't act to better protect Skype users against eavesdropping. If the secret order required Microsoft to turn over Skype users' communications on an ongoing basis, Microsoft might fear that changing the Skype technology in a way that stopped it from complying would violate the order. It's also possible, given the New York Timesreport from Sunday 7 July 2013, that the FISA Court has secretly reinterpreted CALEA or other surveillance laws so that Internet services like Skype fall more directly under them.

If such secret orders are being renewed regularly, there might never be any span of time in which Microsoft is not subject to such an order. Continuing orders to turn over Skype users' calls could then purport to preclude Microsoft from ever changing Skype's design or feature set to make it more private. While this is admittedly speculative, it raises a real danger: aspects of communications technology could be frozen as they were at the moment the surveillance started, under a secret order that is interpreted to prevent adding the security features to Skype that we and others have requested.

This situation would be remarkable: if it turns out to be the case, it would be a previously unknown way for the government to exercise an ongoing control and influence over the design of communications tools - potentially stopping innovation and preventing companies from choosing to roll out new privacy and security features.

Stranger still, Microsoft made another ambiguous statement on Tuesday 16 July 2013 that can be read to suggest that users won't be able to expect any communications technology to protect them against government spying in the future:

Looking forward, as Internet-based voice and video communications increase, it is clear that governments will have an interest in using (or establishing) legal powers to secure access to this kind of content to investigate crimes or tackle terrorism. We therefore assume that all calls, whether over the Internet or by fixed line or mobile phone, will offer similar levels of privacy and security.

That's certainly not the case today, legally or technically - today, different kinds of calls offer drastically different levels of privacy and security. On some mobile networks, calls aren't encrypted at all and hence are even broadcast over the air. Some Internet calls are encrypted in a way that protects users against some kinds of interception and not others. Some calls are encrypted with tools that include privacy and security features that Skype is lacking. Users deserve to understand exactly how the communications technologies they use do or don't protect them. If Microsoft has reasons to think this situation is going to change, we need to know what those reasons are.

More from Digital Rights

Laws passed since Vladimir Putin's return to the presidency in May 2012 have dramatically strengthened the Russian authorities’ control over the flow of information online and offline. Much of this crackdown has been fuelled by Russia’s foreign policy, in particular its role in the conflict in neighbouring Ukraine and its armed intervention in Syria.

The Cyber Harassment Helpline was launched after the successful completion of the Hamara Internet (translates as “Our Internet”) project, and based on its findings in the “Measuring Pakistani Women's Experience of Online Violence” report

While AI impacts a plethora of rights, ARTICLE 19 and Privacy International are particularly concerned about the impact it will have on the right to privacy and the right to freedom of expression and information.

Based on extensive interviews with writers, poets, artists, activists, and others personally affected by the government’s grip on online expression, as well as interviews with anonymous employees at Chinese social media companies, the report lays bare the destructive impact of the Chinese government’s vision of “cyber sovereignty” on netizens who dare to dissent.

The general trend over the past 10 years has been bleak, with an overall negative trajectory for press freedom. The major turning point was the election of Xi Jinping as General Secretary of the Communist Party of China in 2012 and President of China in 2013.

Pakistan has been slow to recognize that violence, threats and harassment faced online by journalists reflects the violence they are exposed to offline. A nationwide survey of working journalists was conducted to ascertain their level of digital insecurity, to record their experiences and the protections they desired from the journalist community, their media organizations, and the government.

Internet Landscape of Pakistan is an indigenous effort to regularly monitor and document the ongoing trends and challenges that impact digital and human rights in the country. This is the third edition in the series.

The report examines the rise of fraudulent news, defined here as demonstrably false information that is being presented as a factual news report with the intention to deceive the public, and the related erosion of public faith in traditional journalism. The report identifies proposed solutions at the intersection of technology, journalism, and civil society to empower news consumers with better skills and tools to help them process the torrents of information they see online.

The lack of a comprehensive legal framework for privacy rights and data protection in Lebanon has led to the adoption of illegal mass surveillance programs and to the violation of individual and collective privacy without repercussions

Since 2012, the Russian authorities have intensified a crackdown on freedom of expression, selectively casting certain kinds of criticism of the government as threats to state security and public stability and introducing significant restrictions to online expression and invasive surveillance of online activity.

In this report we take a closer look on how a traditionally safe space for free speech and expression was transformed into a space of unregulated arbitrary legal practices. We also examine the effect that the ever-changing political objectives, affiliations and temporal objectives all have on the frequency and severity of online political censorship cases.

IFEX publishes original and member-produced free expression news and reports. Some member content has been edited by IFEX. We invite you to contact [email protected] to request permission to reproduce or republish in whole or in part content from this site.

Get more stories like this

Sign up for our newsletters and get the most important free expression news delivered to your inbox.